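#!/usr/bin/env bash
# Max R. P. Grossmann's Arch Linux install script with LVM2 on LUKS
# under (U)EFI, with a btrfs root, the hardened kernel and NetworkManager
# Licensed under CC0: https://creativecommons.org/publicdomain/zero/1.0/
#
# To run, simply boot the live disk and put this script into install.sh.
# Run `chmod +x install.sh` and `./install.sh` to run.
#
# THERE IS NO WARRANTY, AND RUNNING THIS SCRIPT INCORRECTLY WILL UTTERLY
# DESTROY YOUR DATA. THERE IS NO WARRANTY. RUN AT YOUR OWN RISK.
#
# Resulting layout on the selected disk:
#   partition 1  512M  FAT32, mounted on /boot (EFI system partition, NOT encrypted)
#   partition 2  rest  LUKS container -> LVM volume group "vg0"
#                        -> LV "swap" (user-chosen size) and LV "root" (btrfs, remaining space)
#
# The script runs in two stages. On the live system it partitions, encrypts,
# installs packages, copies itself to /install-chroot.sh and re-executes that
# copy via arch-chroot; the chroot stage (the `else` branch below) configures
# the new system and the boot loader.

set -euo pipefail

#######################################
# Print a message in red and reset the terminal colour afterwards.
# Arguments: $1 - text to print
# Outputs:   the message on stdout
#######################################
prompt () {
  printf '%s%s\n' "$(tput setaf 1)" "$1"
  printf '%s' "$(tput sgr0)"
}

#######################################
# Print a message with prompt() and abort the whole script.
# Arguments: $1 - text to print
# Returns:   never; exits with status 1
#######################################
die () {
  prompt "$1"
  exit 1
}

[ "$(id -u)" -eq 0 ] || die "This script must be run as root."

if [ "$0" != "/install-chroot.sh" ]
then
  # ---- Stage 1: live system --------------------------------------------

  # The original `[ -d ... ] || ( prompt ...; exit 1 )` only exited the
  # subshell, so a BIOS-booted system fell straight through into
  # partitioning. A plain `if` makes the abort really abort.
  if [ ! -d /sys/firmware/efi ]
  then
    prompt "You need to enable EFI in order to run this install script."
    die "Please reboot into an EFI-enabled system and re-run this script."
  fi

  while :
  do
    prompt "The following disks are available. To which do you want to install Arch Linux?"
    fdisk -l | grep "Disk /" || die "No disks found."
    prompt "To select a disk, enter something like ´/dev/sdz´ or ´/dev/nvme0n1´."
    prompt "SELECT WISELY, THERE IS NO WARRANTY. CONTINUE AT YOUR OWN RISK."
    prompt "If you specify the wrong disk, the data on it will be irrecoverably destroyed."
    prompt "Press Ctrl+C now to abort without making any changes."
    read -r device
    # Accept only whole disks: `-b` alone also accepts a partition node such
    # as /dev/sda1, and sgdisk would then write a partition table into it.
    if [ -b "$device" ] && [ "$(lsblk -dno TYPE "$device")" = "disk" ]
    then
      DESTDEVICE="$device"
      break
    fi
    prompt "´$device´ is not a whole disk. Please try again."
  done

  # GPT: 512M EFI system partition (also flagged legacy-BIOS-bootable,
  # attribute bit 2) followed by one Linux partition spanning the rest.
  sgdisk -og "$DESTDEVICE"
  sgdisk -n 1:2048:+512M -t 1:ef00 "$DESTDEVICE"
  sgdisk --attributes=1:set:2 "$DESTDEVICE"
  sgdisk -n 2:0:0 -t 2:8300 "$DESTDEVICE"
  partprobe "$DESTDEVICE"
  # udev creates the new partition nodes asynchronously; wait for them so
  # the existence checks below do not race.
  udevadm settle

  # SATA/virtio disks name partitions sdX1, NVMe/MMC disks nvme0n1p1.
  if [ -b "${DESTDEVICE}1" ]
  then
    PART1="${DESTDEVICE}1"
    PART2="${DESTDEVICE}2"
  elif [ -b "${DESTDEVICE}p1" ]
  then
    PART1="${DESTDEVICE}p1"
    PART2="${DESTDEVICE}p2"
  else
    die "Could not find partitions. Stopping."
  fi

  mkfs.vfat -F32 "$PART1"

  # LUKS container on partition 2; the passphrase is asked for interactively
  # (-y verifies it). Everything except /boot lives inside this container.
  cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 10000 -y --use-random luksFormat "$PART2"
  cryptsetup luksOpen "$PART2" crypt

  TOTALMEM="$(($(grep MemTotal /proc/meminfo | awk '{print $2}') / 1024))M"
  while :
  do
    prompt "Please enter the size of the swap partition. This must"
    prompt "be something like ´512M´ or ´4G´. Even if you don't want"
    prompt "swap, please still specify a small amount, like 64M."
    prompt "You can always later remove swap using LVM."
    prompt "(You currently have $TOTALMEM of RAM.)"
    read -r swap
    # Anchored pattern: the original `[0-9]M` test also accepted input such
    # as "abc5Mx", which lvcreate then rejected after LUKS was already set up.
    if [[ $swap =~ ^[0-9]+[MG]$ ]]
    then
      SWAPSIZE="$swap"
      break
    fi
  done

  pvcreate /dev/mapper/crypt
  vgcreate vg0 /dev/mapper/crypt
  lvcreate --size "$SWAPSIZE" vg0 --name swap
  lvcreate -l +100%FREE vg0 --name root
  mkswap /dev/mapper/vg0-swap
  mkfs.btrfs /dev/mapper/vg0-root
  swapon /dev/mapper/vg0-swap
  mount /dev/mapper/vg0-root /mnt
  mkdir -p /mnt/boot
  mount "$PART1" /mnt/boot

  pacstrap /mnt linux-hardened linux-firmware lvm2 btrfs-progs base base-devel efibootmgr nano vim networkmanager

  # fstab by UUID (-U) without pseudo-filesystems (-p); mount /tmp as tmpfs
  # and prefer noatime over the generated relatime.
  genfstab -pU /mnt >> /mnt/etc/fstab
  echo "tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0" >> /mnt/etc/fstab
  sed -i "s/relatime/noatime/g" /mnt/etc/fstab

  # Hand over to stage 2: copy this script by the path it was invoked with
  # (the original used only its basename, which failed unless the current
  # directory was the script's directory) and re-run it inside the chroot.
  cp "$0" /mnt/install-chroot.sh
  chmod 755 /mnt/install-chroot.sh
  echo "$PART2" > /mnt/part2
  arch-chroot /mnt /install-chroot.sh
  exit 0
else
  # ---- Stage 2: inside the chroot ---------------------------------------
  # Only the LUKS partition path is carried over from stage 1.
  PART2=$(cat /part2)

  while :
  do
    prompt "Please enter your timezone, something like ´Europe/Zurich´ or ´America/Shiprock´."
    read -r tz
    if [ -f "/usr/share/zoneinfo/$tz" ]
    then
      ln -sf "/usr/share/zoneinfo/$tz" /etc/localtime
      break
    fi
  done
  hwclock --systohc --utc
  # `timedatectl set-ntp true` needs a running systemd/D-Bus, which a chroot
  # does not have, so it failed here and (under set -e) aborted the script.
  # Enabling the unit directly has the same effect once the system boots.
  systemctl enable systemd-timesyncd.service

  prompt "Please enter the hostname of your new system."
  read -r hostname
  echo "$hostname" > /etc/hostname

  systemctl enable NetworkManager

  echo "en_GB.UTF-8 UTF-8" >> /etc/locale.gen
  echo LANG=en_GB.UTF-8 >> /etc/locale.conf
  echo LC_ALL= >> /etc/locale.conf
  locale-gen

  prompt "Please set a password for root."
  passwd

  # Initramfs: load btrfs and run the encrypt and lvm2 hooks before
  # filesystems. Both edits are plain substitutions on the stock config and
  # silently do nothing if the defaults differ, so verify them: an initramfs
  # without these hooks cannot unlock the root volume and will not boot.
  sed -i "s/MODULES=()/MODULES=(btrfs)/g" /etc/mkinitcpio.conf
  sed -i "s/ filesystems keyboard / keyboard encrypt lvm2 filesystems /g" /etc/mkinitcpio.conf
  grep -q '^MODULES=(btrfs)' /etc/mkinitcpio.conf || die "Could not set MODULES=(btrfs) in /etc/mkinitcpio.conf; fix it by hand and finish the chroot steps manually."
  grep -q '^HOOKS=.* encrypt lvm2 filesystems' /etc/mkinitcpio.conf || die "Could not insert the encrypt and lvm2 hooks into HOOKS in /etc/mkinitcpio.conf; fix it by hand and finish the chroot steps manually."
  mkinitcpio -P

  bootctl --path=/boot install
  echo "default arch" >> /boot/loader/loader.conf
  echo "timeout 2" >> /boot/loader/loader.conf
  # /boot is unencrypted; disable the boot-menu editor so the kernel options
  # written below cannot be altered at the console before the LUKS prompt.
  echo "editor no" >> /boot/loader/loader.conf

  # Ask blkid for the UUID directly instead of grepping its full output,
  # whose field order the original `cut -f 2` silently depended on.
  UUID=$(blkid -s UUID -o value "$PART2")
  [ -n "$UUID" ] || die "Could not determine the UUID of $PART2."

  # The initramfs unlocks the LUKS container as /dev/mapper/vg0, after which
  # the lvm2 hook activates the root LV. audit=0 switches the kernel audit
  # subsystem off (the author's choice; drop it if you want audit logs).
  (
    echo "title Arch Linux (hardened)"
    echo "linux /vmlinuz-linux-hardened"
    echo "initrd /initramfs-linux-hardened.img"
    echo "options cryptdevice=UUID=$UUID:vg0 root=/dev/mapper/vg0-root rw audit=0"
  ) > /boot/loader/entries/arch.conf

  rm -f /install-chroot.sh /part2
  prompt "Done! You may now reboot."
fi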